FirewallD and MASQ Issues

sbuchanan0613
Posts: 3
Joined: 2018/04/25 20:48:02

FirewallD and MASQ Issues

Postby sbuchanan0613 » 2018/04/25 20:59:47

Good Afternoon,

I have an external-facing Cent 7.4 (1708) machine with an external IP that is set up with certain NAT rules to push some SSH traffic into my internal network. On the landing point machine I have fail2ban running to ban unauthorized IPs from being able to brute force their way into the machine. The only way I have been able to figure out how to NAT to this machine also includes enabling masquerading, which defeats the purpose of having fail2ban running on the landing point machine because it changes the source IP to the IP of the external machine doing the routing. Obviously, with my whitelisting, this in turn makes fail2ban inoperable. My question is: how can I set this up in a fashion where I don't have to use masquerade on the NAT'd connection, so that the source IP isn't hidden by the CentOS 7 firewall/router?

Thanks,
Steve
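The effect Steve describes can be shown with a few log lines. The script below is an added example, not something from the thread: it runs a minimal fail2ban-style counter (failed sshd logins per source address, banned at maxretry) over constructed log lines, once as the internal host would log them with the real client address preserved, and once as it logs them when the router masquerades. The hostnames, addresses and the router address 10.0.0.1 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal fail2ban-style counter over
# sshd log lines, used to show why masquerading the forwarded SSH traffic makes
# banning on the internal host meaningless. All log lines are constructed.

# Four failed logins from two real source addresses plus one good login, as the
# internal host logs them when the router preserves the client's source IP.
PRESERVED_LOG='Apr 25 20:01:01 inner sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Apr 25 20:01:03 inner sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Apr 25 20:01:05 inner sshd[1002]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 25 20:01:07 inner sshd[1003]: Failed password for root from 198.51.100.9 port 40000 ssh2
Apr 25 20:01:09 inner sshd[1004]: Accepted publickey for steve from 192.0.2.10 port 39000 ssh2'

# The same events as the internal host sees them when the router masquerades:
# every connection appears to come from the router's internal address.
ROUTER_IP=10.0.0.1   # constructed router address
MASQ_LOG=$(printf '%s\n' "$PRESERVED_LOG" | sed -E 's/from [0-9.]+ port/from '"$ROUTER_IP"' port/')

# count_failures LOG: print "<count> <ip>" for each source IP with failed logins.
count_failures() {
    printf '%s\n' "$1" | awk '/Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ban_candidates LOG MAXRETRY: IPs at or above the threshold, one per line,
# mirroring fail2ban's maxretry decision.
ban_candidates() {
    count_failures "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# With the source preserved only the brute-forcing address crosses maxretry=3.
# With masquerade every failure collapses onto the router, which then gets
# banned (locking out every forwarded client) or, once whitelisted, never is.
echo "preserved:";   ban_candidates "$PRESERVED_LOG" 3
echo "masqueraded:"; ban_candidates "$MASQ_LOG" 3
```

The second run is exactly the whitelisting dilemma from the post: the only address fail2ban ever sees is the router's, so it must either ban it (and cut off every forwarded session, including the legitimate key-based login) or ignore it entirely.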

hunter86_bg
Posts: 1103
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: FirewallD and MASQ Issues

Postby hunter86_bg » 2018/04/26 06:20:24

I don't think that you can do it without masquerade enabled.
You have 2 options:
1. Run fail2ban on this CentOS 'router'
2. Set iptables in such a way that you need to 'knock' on specific ports (outside) in order to whitelist your IP and thus get forwarded inside (or even get an ICMP echo reply).
There are plenty of examples for using port knocking with iptables - here is an example.

sbuchanan0613
Posts: 3
Joined: 2018/04/25 20:48:02

Re: FirewallD and MASQ Issues

Postby sbuchanan0613 » 2018/04/27 14:12:33

Hunter,

Thank you, I will look into this. I appreciate the feedback.

Steve

sbuchanan0613
Posts: 3
Joined: 2018/04/25 20:48:02

Re: FirewallD and MASQ Issues

Postby sbuchanan0613 » 2018/05/07 20:43:43

Hunter,

I just wanted to update the community. I was able to get this working by setting masquerading within iptables while having the forwarding rules set up on firewalld. Now traffic is being NAT'd to my internal host with the actual source IP rather than the forward host IP. I'm not sure if this is supposed to work like this, however it's doing exactly what I want.

Regards,
Steve
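What makes the source address survive is where the masquerade rule is scoped: an iptables MASQUERADE restricted to the public interface rewrites only traffic leaving towards the Internet, while the DNAT'd SSH packets leave through the internal interface untouched. The script below is an added example of that layout, not Steve's actual rules; the interface names (eth0/eth1), the internal host 10.0.0.5 and the public port 2222 are assumptions. It prints the rules by default and only applies them when IPT is pointed at the real binary.

```shell
#!/bin/sh
# Added example, not the poster's rules: forward SSH to an internal host while
# keeping the client's real source address. Interfaces, addresses and ports are
# assumptions. Dry-run by default; run with IPT=iptables (as root) to apply.
set -eu

IPT=${IPT:-echo}                # set IPT=iptables to apply instead of print
EXT_IF=${EXT_IF:-eth0}          # interface holding the public address
INT_IF=${INT_IF:-eth1}          # interface towards the internal network
INT_HOST=${INT_HOST:-10.0.0.5}  # internal SSH landing host (runs fail2ban)
EXT_PORT=${EXT_PORT:-2222}      # public port that is forwarded
INT_PORT=${INT_PORT:-22}        # sshd port on the internal host

forward_ssh_keep_source() {
    # Rewrite the destination of inbound connections on the public port.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_HOST:$INT_PORT"

    # Let the rewritten flow and its replies cross the router. FORWARD runs
    # after PREROUTING, so the packet already carries the internal address.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_HOST" -p tcp --dport "$INT_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Masquerade ONLY what leaves via the public interface. The DNAT'd packet
    # leaves via $INT_IF, so this rule never touches it and the internal host
    # logs the real client address; conntrack reverse-translates the replies.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

forward_ssh_keep_source
```

Two things to check on such a setup: the internal host's route back to client addresses must go through this router (otherwise replies take another path and the connection never completes), and `sysctl net.ipv4.ip_forward` must be 1. If the rules should live under firewalld rather than in a separate iptables script, the same lines can be added as direct rules, for example `firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE`, which keeps the interface restriction that zone-level masquerading does not express.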